Another take on passwords: entropy vs length

Shortly after writing about password strength, Linkedin managed to lose 6.5 million hashed passwords. The hashes have been made public by the crackers responsible for the attack. Posting so many password hashes in public is quite interesting. For starters, the hashes can be analyzed. Now we can read in the news what the most popular passwords for Linkedin are. After reading this list, it is pretty clear to me that there are many people who simply do not care about the security of their Linkedin accounts. Some companies were also extremely fast to provide extra tools such as a Linkedin password checker – I guess a case like this is good advertisement for LastPass.

As you can imagine, I was less-than-amused to find out my password was leaked, too. Granted, only the SHA-1 hash was leaked and my password was a random string. However, the geniuses at Linkedin forgot to salt the password hashes, making them easier to crack. I also do not quite understand why it took Linkedin longer to send me a warning email than LastPass to write the password checker tool.

After changing my password and making sure I had not re-used this password on other sites, I started reading some more articles about password strength. One of the more interesting ideas was to pad random passwords with easy-to-remember strings. The article argues that the password “D0g…………………” has the same length as the completely random “PrXyc.N(n4k77#L!eVdAfp9” but is much easier to remember. The latter has much higher entropy, which is usually considered more secure. However, the author claims that padding passwords with easy-to-remember strings does not make them less safe unless the cracker knows the padding system. If the system used to pad the password is not known to the attacker, brute force is the only valid strategy to crack the password. The author concludes that password length beats entropy in most cases.

I agree with the basic conclusions of the GRC password strategy. However, looking at the most popular cracked passwords list cited above, I believe most people will use only a very few padding strategies. Once these are known, password crackers can update their brute-force algorithms to guess the padding, effectively decreasing the security of these passwords.
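To put numbers on this argument, here is an added example of my own (not code from the post or from GRC): it sizes the brute-force search space of the two passwords quoted above, then the far smaller space that remains once an attacker assumes the "short word plus one repeated symbol" padding scheme. The bounds on word length (3) and padding length (30) are assumptions chosen for illustration.

```python
import math
import string

# Character classes an attacker would enumerate in a brute-force search.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password: str) -> int:
    """Alphabet a brute-forcer must assume: every class the password uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_space(password: str) -> int:
    """Guesses needed to exhaust every string up to this length over that
    alphabet (the pure brute-force model: attacker knows nothing of structure)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def known_padding_space(max_word_len: int, max_pad_len: int,
                        word_alphabet: int = 94, pad_alphabet: int = 32) -> int:
    """Guesses once the padding system is known: a word of 1..max_word_len
    characters followed by one padding symbol repeated 1..max_pad_len times.
    The bounds are assumptions for this illustration."""
    words = sum(word_alphabet ** k for k in range(1, max_word_len + 1))
    return words * pad_alphabet * max_pad_len


def bits(guesses: int) -> float:
    """Express a search space as its brute-force 'entropy' in bits."""
    return math.log2(guesses)


# Constructed sample inputs, both 23 characters like the post's example.
RANDOM_PW = "PrXyc.N(n4k77#L!eVdAfp9"
PADDED_PW = "D0g" + "." * 20

if __name__ == "__main__":
    for label, pw in (("random", RANDOM_PW), ("padded", PADDED_PW)):
        print(f"{label:7s} brute force: {bits(brute_force_space(pw)):6.1f} bits")
    # An attacker who has learned the scheme no longer brute-forces 23
    # characters; they enumerate short words and paddings instead.
    print(f"padded, scheme known: {bits(known_padding_space(3, 30)):6.1f} bits")
```

Both passwords look identical to a pure brute-forcer (about 151 bits), but the padded one drops below 30 bits as soon as the padding system is part of the attacker's model, which is the weakness described above.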


Gapingvoid – On Mastery

Hugh McLeod is making an important point in his blog post On Mastery. He argues that truly successful people do not become successful by chance. They achieve success by becoming masters of their trade. Hugh McLeod concludes that mastery is nothing glamorous but rather stems from repetitive practice and continuous improvement until perfection.

We commonly think of success as getting promoted to the next rung of the corporate career ladder or becoming a media star. This “conventional” success depends a lot on luck and the goodwill of other people – external factors outside of our control.

Success based on mastery as described by Hugh McLeod, however, does not depend on luck nor people’s admiration. Less dependent on external influence, striving for mastery is a more reliable way to happiness than succumbing to the popular measures of success.